Multi-tenancy - Cisco
• Feature Information for Multi-tenancy
• Multi-tenancy
• Bridge-Domain
• VN-Segment
• Bridge-Domain Interface
• Configuring Multiple Leaf
Feature Information for Multi-tenancy

Table 1: Feature Information for Multi-tenancy

Feature        | Releases     | Feature Information
---------------|--------------|------------------------------------------------------------------
Multi-tenancy  | 7.2(0)D1(1)  | Included a new chapter on Multi-tenancy. Multi-tenant data center handles the traffic segregation between different tenants.
Segment ID     | 7.2(0)D1(1)  | Included a new section on VN-Segment. VN-Segment network can support up to 16 million virtual network segments.
Multi-tenancy

Multi-tenancy is a concept that refers to the logical isolation of shared virtual compute, storage, and network resources. In a multi-tenant data center, tenants subscribe to a virtual data center (VDC), and based on the services hosted by the tenants within the virtual data center, each virtual data center can have multiple VN-Segments.
Figure 1: Multi-tenant Data Center
The above figure depicts two virtual data centers assigned to different tenants, for example Coke and Pepsi. Each virtual data center has virtual data center elements such as virtual machines (VM) and storage, inter-connected by a VN-Segment.
A multi-tenant data center handles the traffic segregation between different tenants, and also within a tenant's traffic, for security and privacy. Data centers have deployed VLANs to isolate the machines of different tenants on a single Layer-2 network. This could be extended to virtualized data centers by having the hypervisor encapsulate VM packets with a VLAN tag corresponding to the VM owner. This approach provides a Layer-2 abstraction to the tenants and, with VRF, it can completely virtualize the Layer-2 and Layer-3 address spaces. However, the VLAN ID is a 12-bit field in the VLAN header, limiting this to at most 4K tenants. Also, a multi-tenant network should provide tenants with simple and flexible network abstractions, by completely and efficiently virtualizing the address space at both Layer-2 and Layer-3 for each tenant, without any restrictions on the tenant's choice of Layer-2 or Layer-3 addresses. Also, tenants might want to extend their IT services or storage network which uses non-IP protocols such as Fibre Channel over Ethernet (FCoE). These protocols may be important for tenants trying to move existing applications into a service provider data center (SPDC) and are not supported in a network that has no Layer-2 abstraction. Similarly, these tenants will benefit from an SPDC that supports tenant-level broadcast or multicast trees. In order to maximize the benefits of resource sharing, which provides multiplexing to achieve better resource efficiency and cost saving, multi-tenant data centers must scale to larger sizes to accommodate more tenants and VMs. Maintaining such large multi-tenant data centers can be expensive, and hence multi-tenant data centers require automated configuration and management tools to reduce the cost. Also, a large-scale Layer-2 multi-tenant data center needs high bisectional bandwidth, and this can be achieved by using Layer-2 multi-pathing shortest path bridging technologies like FabricPath and TRILL, which also address the MAC address scale issues that per-tenant Layer-2 abstraction requires.
Another important requirement for a multi-tenant data center is to support the mobility of VMs within and across SPDCs, and also into enterprise data centers. Mobility within an SPDC allows for dynamic tenant growth and maximizes resource utilization and sharing. For instance, if a tenant needs to add a VM to the existing SPDC POD but all the servers are overloaded, then the VM for the tenant can be accommodated on another SPDC POD which has server capacity available. This means that the VN-Segment must be able to extend virtually anywhere within and across the multi-tenant data center.
Bridge-Domain

Note: This section is applicable only for the multi-tenancy full version.
A bridge-domain is a generic object that represents a Layer-2 broadcast domain on a device. Either a VLAN or a bridge-domain with a given number can exist, not both. The bridge-domain range needs to be carved out from the 4096 VLAN range. The reserved VLANs cannot be used as bridge-domains. All of the carved-out bridge-domains can be used as user/tenant bridge-domains.
The following is an example to carve out the bridge-domain range:
system bridge-domain 10-3000
The command above defines the entire set of bridge-domains that can be used on the switch. For bridge-domains to be used for different VRFs, you need to define a fabric bridge-domain range: out of this range of user bridge-domains, a subset of bridge-domains can be designated as fabric bridge-domains. The corresponding BDIs will be reserved as fabric BDIs.
The following example shows allocating fabric bridge-domains:
system fabric bridge-domain 2001-3000
This designates bridge-domains 2001-3000 to be used as fabric bridge-domains. Fabric bridge-domains are used as part of applying the vrf-tenant-profile. The remaining bridge-domains (10-2000) are user bridge-domains. They will be used to map tenant VNIs on the switch.
Note: Do not create, delete, or edit a bridge-domain in the fabric bridge-domain range. These are created whenever a new VRF is created and removed when the VRF is removed.
A fabric-control bridge-domain is configured from the range of user bridge-domains only (in this case 10-2000). The fabric control bridge-domain/VLAN needs to be defined for control traffic to propagate. There can only be one fabric control bridge-domain or VLAN in the system.
Note: Use of VLAN 1 as fabric control is not allowed.
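As an added check (not part of the Cisco chapter), the following Python script validates a planned carve-out against the rules stated above: the system range within 2-3967, the fabric range a subset of the system range, no hand-configured bridge-domain inside the fabric range, a single fabric-control bridge-domain taken from the user range, and never VLAN 1. The sample plans are constructed, and the parser only understands the commands shown in this section.

```python
import re

BD_MIN, BD_MAX = 2, 3967   # valid ID range for 'system bridge-domain' stated in this chapter

def expand(spec):  # '10-3000' or '2,10-11' -> set of ints
    ids = set()
    for part in spec.split(','):
        lo, _, hi = part.partition('-')
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def check_bridge_domain_plan(config):
    """Return a list of findings for the carve-out rules of this chapter (empty = clean)."""
    system, fabric, created, control, current = set(), set(), set(), [], set()
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r'system fabric bridge-domain (\S+)$', line):
            fabric = expand(m.group(1))
        elif m := re.match(r'system bridge-domain (\S+)$', line):
            system = expand(m.group(1))
        elif m := re.match(r'bridge-domain (\S+)$', line):
            current = expand(m.group(1))        # bridge-domain(s) now being configured by hand
            created |= current
        elif line == 'fabric-control':
            control.extend(sorted(current))
    findings = []
    if bad := sorted(b for b in system if not BD_MIN <= b <= BD_MAX):
        findings.append(f'system bridge-domain IDs outside {BD_MIN}-{BD_MAX}: {bad[:5]}')
    if not fabric <= system:
        findings.append('fabric bridge-domain range is not a subset of the system bridge-domain range')
    if manual := sorted(created & fabric):
        findings.append(f'bridge-domains {manual[:5]} configured by hand inside the fabric range')
    if len(control) > 1:
        findings.append(f'more than one fabric-control bridge-domain: {control}')
    for bd in control:   # fabric control must be a user bridge-domain, and never VLAN/BD 1
        if bd == 1 or bd not in system - fabric:
            findings.append(f'fabric-control bridge-domain {bd} is not a user bridge-domain')
    return findings

# Constructed inputs: the carve-out used in this chapter, and a plan that breaks several rules.
GOOD_PLAN = """
system bridge-domain 10-3000
system fabric bridge-domain 2001-3000
bridge-domain 100
  fabric-control
"""
BAD_PLAN = """
system bridge-domain 1-3000
system fabric bridge-domain 2001-3500
bridge-domain 2500
  fabric-control
bridge-domain 1
  fabric-control
"""
```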
Configuring Bridge-Domain

SUMMARY STEPS

1. configure terminal
2. [no] system bridge-domain { bd-list | add bd-list | all | except bd-list | none | remove bd-list }
3. [no] system fabric bridge-domain { bd-list | add bd-list | all | except bd-list | none | remove bd-list }
4. [no] bridge-domain {bd-id | bd-range}
5. [no] fabric-control
6. show bridge-domain summary
7. show bridge-domain id
8. copy running-config startup-config

DETAILED STEPS

Step 1
Command or Action: configure terminal
Purpose: Enters configuration mode.
Example:
switch# configure terminal

Step 2
Command or Action: [no] system bridge-domain { bd-list | add bd-list | all | except bd-list | none | remove bd-list }
Purpose: Identifies the IDs that are available for bridge-domain configurations.
• The valid range for the ID argument is from 2 to 3967.
• (Optional) The id keyword and argument combination identifies the last ID in a range of contiguous IDs. The hyphen (-) is mandatory.
• (Optional) The keywords add, remove, all, except, and none can be used for adding, removing, adding all, adding all except, and removing all, respectively.
Example:
switch(config)# system bridge-domain add 100-200

Step 3
Command or Action: [no] system fabric bridge-domain { bd-list | add bd-list | all | except bd-list | none | remove bd-list }
Purpose: Identifies the IDs that are available for fabric bridge-domain configuration. This command has the same options as the previous command, but the range it can act on is only the existing system bridge-domain carved-out range.
Example:
switch(config)# system fabric bridge-domain 151-200

Step 4
Command or Action: [no] bridge-domain {bd-id | bd-range}
Purpose: Enters bridge-domain configuration mode and configures a bridge-domain. The domain-ID argument is a unique identifier for the bridge-domain and the underlying VLAN to be created. The valid range is defined by the system bridge-domain configuration.
Note: You can use the no form of this command to remove the bridge-domain configuration, including port associations. Removing the bridge-domain configuration does remove the underlying VLAN and all the bridge-domain properties.
Example:
switch(config)# bridge-domain 100-110
switch(config-bdomain)#

Step 5
Command or Action: [no] fabric-control
Purpose: Makes the bridge-domain the fabric control bridge-domain. Only one bridge-domain or VLAN can be configured as fabric control.
Example:
switch(config)# bridge-domain 100
switch(config-bdomain)# fabric-control

Step 6
Command or Action: show bridge-domain summary
Purpose: (Optional) Shows the bridge-domain configuration. Similar to show vlan summary.
Example:
switch# show bridge-domain summary

Step 7
Command or Action: show bridge-domain id
Purpose: (Optional) Shows whether the bridge-domain is created or not, and any bridge-domain property configured under it.
Example:
switch# show bridge-domain 100

Step 8
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves this configuration change.
Example:
switch(config-if)# copy running-config startup-config
Example

The following example shows how to create a bridge-domain:

switch# configure terminal
switch(config)# system bridge-domain 100-200
switch(config)# bridge-domain 100
switch(config-bdomain)# name Cisco:tenant1
switch(config-bdomain)# no shutdown
switch(config-bdomain)# exit
switch(config)#
switch(config)# bridge-domain 101
switch(config-bdomain)# fabric-control
switch(config-bdomain)# name fabric-control_BD
switch(config-bdomain)# no shutdown
switch(config-bdomain)# exit
VN-Segment

A VN-Segment network can support up to 16 million virtual network segments (also called Virtual Network Identifiers, VNIs), and a VN-Segment has global significance in the Layer-2 network. In multi-tenant applications, tenant traffic can still be received as "Dot1Q" tagged and needs to be classified to the VN-Segment assigned to those tenants. VN-Segment is the extension of VLANs; both need to coexist. The VLAN range is 1-4095 and the VN-Segment (VNI) range is 4096-16 million.
Note: For release 7.2(0)N1(1), to modify the VN-Segment of a VLAN, you must delete any existing VN-Segment mapping before adding the new VN-Segment mapping.
Configuring VN-Segment

SUMMARY STEPS

1. configure terminal
2. feature vni
3. vni <vni range>
4. shutdown/no shutdown vni
5. member vni <vni-range>
6. encapsulation profile vni <profile-name>
7. service instance vni
8. shutdown/no shutdown vsi
9. encapsulation profile vsi
10. copy running-config startup-config

DETAILED STEPS

Step 1
Command or Action: configure terminal
Purpose: Enters configuration mode.
Example:
switch# configure terminal

Step 2
Command or Action: feature vni
Purpose: Enables the VNI (segmentation) feature.
Example:
switch(config)# feature vni

Step 3
Command or Action: vni <vni range>
Purpose: Creates a range of VNIs.
Example:
switch(config)# vni 5000-5002, 5005

Step 4
Command or Action: shutdown/no shutdown vni
Purpose: Shuts down (or brings up) a range of VNIs.
Example:
switch(config)# vni 5000-5001
switch(config-vni)# [no] shutdown

Step 5
Command or Action: member vni <vni-range>
Purpose: Configures VNIs as members under a range of bridge-domains.
Example:
switch(config)# bridge-domain 10-12
switch(config-bdomain)# [no] member vni 5000-5002

Step 6
Command or Action: encapsulation profile vni <profile-name>
Purpose: Creates an encapsulation profile named cisco with dot1q 20 mapped to VNI 5000.
Example:
switch(config)# [no] encapsulation profile vni cisco
switch(config-vni-encap-prof)# [no] dot1q 20 vni 5000

Step 7
Command or Action: service instance vni
Purpose: Creates a numbered VSI under parent port interface Ethernet 3/1 and a default VSI under Ethernet 3/2.
Example:
switch(config)# interface ethernet 3/1
switch(config-if)# service instance 1 vni
switch(config)# interface ethernet 3/2
switch(config-if)# service instance vni default

Step 8
Command or Action: shutdown/no shutdown vsi
Purpose: Shuts down (or brings up) a numbered VSI.
Example:
switch(config-if)# service instance 1 vni
switch(config-if-srv)# [no] shut

Step 9
Command or Action: encapsulation profile vsi
Purpose: Applies the encapsulation profile to a VSI.
Example:
switch(config-if)# service instance 1 vni
switch(config-if-srv-def)# encapsulation profile cisco default

Step 10
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves this configuration change.
Example:
switch(config-if)# copy running-config startup-config
Detailed Steps

The 'feature vni' (segmentation) feature can be enabled only when the virtual device context has been limited to F3 modules:

switch(config)# feature vni
Feature vni requires F3 or newer linecards
switch(config)# vdc switch
switch(config-vdc)# limit-resource module-type f3
This will cause all ports of unallowed types to be removed from this vdc. Continue (y/n)? [yes] yes
switch(config-vdc)# feature vni
There has to be a 1:1 mapping between VNI and bridge-domain. A VNI has global significance in the Layer-2 network, while bridge-domains remain local to the virtual data center (switch). Bridge-domains have VNIs as members.
Commands to create a VNI and add the VNI under a bridge-domain:

switch(config)# [no] vni 5000-5002
switch(config-vni)# [no] shutdown
switch(config)# bridge-domain 50-52
switch(config-bdomain)# [no] member vni 5000-5002
Existing legacy IEEE 802.1Q switches and end hosts/servers capable of sending dot1q-tagged traffic should be able to connect to a VN-Segment supported network. This capability is provided by the VN-Segment Service Instance (VSI). VN-Segment Service Instance ports on the VN-Segment capable switch allow the dot1q-tagged frames received on that port to be mapped uniquely to a VN-Segment (VNI).

An encapsulation profile, which works like a template, needs to be created to define the dot1q-to-VNI mappings.
Command to create an encapsulation profile template named cisco and add/delete a dot1q-to-VNI mapping under it:

switch(config)# [no] encapsulation profile vni cisco
switch(config-vni-encap-prof)# [no] dot1q 20 vni 5000
Command to create an encapsulation profile template named cisco and add/delete the untagged-frame VNI mapping under it:

switch(config)# [no] encapsulation profile vni cisco
switch(config-vni-encap-prof)# [no] untagged vni 6000
There are two types of VSIs: numbered VSI and default VSI. VSIs can be created under a physical port or a port channel. The numbered VSI range is 1-4094, while VSI ID 4095 is reserved for the default VSI. Default VSIs are always admin up by default. Note that a default VSI and a numbered VSI cannot exist together under the same parent port. Multiple numbered VSIs can be created under the same parent port.
Command to create a numbered VSI and apply an encapsulation profile under it:

switch(config)# interface ethernet3/1
switch(config-if)# service instance 1 vni
switch(config-if-srv)# no shut
switch(config-if-srv)# encapsulation profile cisco default
Command to create a default VSI with cisco as the encapsulation profile:

switch(config)# interface ethernet3/2
switch(config-if)# service instance vni default
switch(config-if-srv-def)# encapsulation profile cisco default
Sample VNI & VSI configuration:

switch(config)# vni 5000-5002
switch(config-vni)# no shutdown
switch(config-vni)# exit
switch(config)# bridge-domain 50-52
switch(config-bdomain)# member vni 5000-5002
switch(config-bdomain)# exit
switch(config)# encapsulation profile vni cisco
switch(config-vni-encap-prof)# dot1q 20-22 vni 5000-5002
switch(config-vni-encap-prof)# exit
switch(config)# interface ethernet9/1
switch(config-if)# no shutdown
switch(config-if)# service instance vni default
switch(config-if-srv-def)# encapsulation profile cisco default
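The following Python checker is an added example, not Cisco code. It walks a VNI/VSI configuration like the sample above and verifies the rules this section states: a 1:1 pairing between bridge-domains and VNIs (assumed positional, first bridge-domain to first VNI), VNIs within 4096-16 million (a 24-bit VNI space is assumed for the upper bound), dot1q tags within 1-4095, profile VNIs that belong to a bridge-domain, numbered VSIs within 1-4094, no default VSI alongside a numbered VSI on one parent port, and only existing encapsulation profiles applied. SAMPLE is constructed from the configuration above.

```python
import re

VLAN_MAX, VNI_MIN, VNI_MAX, VSI_MAX = 4095, 4096, (1 << 24) - 1, 4094  # 24-bit VNI assumed; VSI 4095 reserved

def expand(spec):  # '20-22' or '5000-5002, 5005' -> list of ints
    ids = []
    for part in spec.replace(' ', '').split(','):
        lo, _, hi = part.partition('-')
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids

def check_vni_config(config):
    """Return findings for the VNI / encapsulation-profile / VSI rules of this chapter."""
    findings, bd_of_vni, profiles, ports, ctx = [], {}, set(), {}, ('', None)
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r'bridge-domain (\S+)$', line):
            ctx = ('bd', expand(m.group(1)))
        elif (m := re.match(r'member vni (\S+)$', line)) and ctx[0] == 'bd':
            vnis = expand(m.group(1))   # pairs positionally with the bridge-domains (assumption)
            if len(vnis) != len(ctx[1]):
                findings.append(f'bridge-domains {ctx[1]} and VNIs {vnis} are not a 1:1 mapping')
            for bd, vni in zip(ctx[1], vnis):
                if not VNI_MIN <= vni <= VNI_MAX or vni in bd_of_vni:
                    findings.append(f'VNI {vni} is out of range or already belongs to a bridge-domain')
                bd_of_vni[vni] = bd
        elif m := re.match(r'encapsulation profile vni (\S+)$', line):
            ctx = ('profile', m.group(1)); profiles.add(m.group(1))
        elif (m := re.match(r'(?:dot1q (\S+)|untagged) vni (\S+)$', line)) and ctx[0] == 'profile':
            tags, vnis = (expand(m.group(1)) if m.group(1) else ['untagged']), expand(m.group(2))
            if len(tags) != len(vnis) or any(t != 'untagged' and not 1 <= t <= VLAN_MAX for t in tags):
                findings.append(f'profile {ctx[1]}: bad mapping "{line}"')
            for vni in (v for v in vnis if v not in bd_of_vni):
                findings.append(f'profile {ctx[1]}: VNI {vni} is not a member of any bridge-domain')
        elif m := re.match(r'interface (\S+)$', line):
            ctx = ('port', m.group(1)); ports.setdefault(m.group(1), set())
        elif (m := re.match(r'service instance (?:(\d+) vni|vni default)$', line)) and ctx[0] == 'port':
            vsi = int(m.group(1)) if m.group(1) else 'default'
            if vsi != 'default' and not 1 <= vsi <= VSI_MAX:
                findings.append(f'{ctx[1]}: numbered VSI {vsi} is outside 1-{VSI_MAX}')
            if ports[ctx[1]] and (vsi == 'default') != ('default' in ports[ctx[1]]):
                findings.append(f'{ctx[1]}: a default VSI and a numbered VSI cannot share a parent port')
            ports[ctx[1]].add(vsi)
        elif (m := re.match(r'encapsulation profile (\S+) default$', line)) and ctx[0] == 'port':
            if m.group(1) not in profiles:
                findings.append(f'{ctx[1]}: encapsulation profile {m.group(1)} does not exist')
    return findings

SAMPLE = """vni 5000-5002
bridge-domain 50-52
  member vni 5000-5002
encapsulation profile vni cisco
  dot1q 20-22 vni 5000-5002
interface ethernet9/1
  service instance vni default
    encapsulation profile cisco default"""   # constructed from this chapter's sample VNI & VSI configuration
```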
Bridge-Domain Interface

A bridge-domain interface (BDI) is a virtual routed interface that connects a bridge-domain on the device to the Layer-3 router engine on the same device. Only one BDI can be associated with a bridge-domain. You must configure a BDI for a bridge-domain only when you want to route between bridge-domains or to provide IP host connectivity to the device through a virtual routing and forwarding (VRF) instance that is not the management VRF.
• You must enable the VLAN network interface feature before you can configure it.
• You must configure the BDI in the same virtual device context as the bridge-domain.
• You must create the bridge-domain range in the virtual device context, and a BDI can only be created for that range. The configurations under a BDI are the same as those under a VLAN interface.
• You can route across BDI to provide Layer-3 inter-bridge-domain routing by configuring a BDI for eachbridge-domain that you want to route traffic to and assigning an IP address on the BDI.
Configuring Bridge-Domain Interface

Before you begin

• Ensure that you are in the correct virtual data center (or use the switchto vdc command).

SUMMARY STEPS

1. configure terminal
2. feature interface-vlan
3. interface bdi
4. ip address
5. ipv6 address
6. show interface bdi
7. copy running-config startup-config

DETAILED STEPS

Step 1
Command or Action: configure terminal
Purpose: Enters configuration mode.
Example:
switch# configure terminal

Step 2
Command or Action: feature interface-vlan
Purpose: Enables BDI mode.
Example:
switch(config)# feature interface-vlan

Step 3
Command or Action: interface bdi
Purpose: Creates a BDI. The number must be within the range specified in the system bridge-domain command.
Example:
switch(config)# interface bdi 10

Step 4
Command or Action: ip address
Purpose: Configures an IP address for this BDI.
Example:
switch(config-if)# ip address 192.0.2.1/8

Step 5
Command or Action: ipv6 address
Purpose: Configures an IPv6 address for this BDI.
Example:
switch(config-if)# ipv6 address 2001:0DB8::1/8

Step 6
Command or Action: show interface bdi
Purpose: (Optional) Displays the Layer-3 interface statistics.
Example:
switch(config-if)# show interface bdi 10

Step 7
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves this configuration change.
Example:
switch(config-if)# copy running-config startup-config
Example

The following example shows how to create a BDI:

switch# configure terminal
switch(config)# feature interface-vlan
switch(config)# interface bdi 10
switch(config-if)# ip address 192.0.2.1/8
switch(config-if)# copy running-config startup-config
Configuring Multiple Leaf

The following example shows the multi-tenancy support at a leaf using VRFs:

system bridge-domain 2-3967
system fabric bridge-domain 3001-3967

configure profile vrf-tenant-profile
  vni $vrfSegmentId
  bridge-domain $bridgeDomainId
    member vni $vrfSegmentId
  interface bdi $bridgeDomainId
    vrf member $vrfName
    ip forward
    ipv6 forward
    no shutdown

configure terminal

bridge-domain 2,10-11

bridge-domain 2
  fabric-control
bridge-domain 2,10-11
  member vni 5000,10010-10011

vrf context Cisco:vrf1
  vni 20000
  ipv6 pim ssm range ff30::/12
  rd auto
  address-family ipv4 unicast
    route-target both auto
  address-family ipv6 unicast
    route-target both auto

interface Bdi10
  no shutdown
  vrf member Cisco:vrf1
  ip address 100.1.1.1/24
  fabric forwarding mode anycast-gateway

interface Bdi11
  no shutdown
  vrf member Cisco:vrf1
  ip address 100.1.2.1/24
  fabric forwarding mode proxy-gateway
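Added example (not from the Cisco chapter): given a leaf running configuration like the one above, the Python function below builds a per-tenant view (each VRF, its Layer-3 VNI and its BDIs, plus the Layer-2 tenant VNIs) and flags isolation gaps a reviewer would want to catch: a BDI with no vrf member, which would land in the default VRF, a VRF with no Layer-3 VNI, and a Layer-3 VNI that collides with a Layer-2 tenant VNI. LEAF_CONFIG is constructed from the example above with an extra Bdi12 that lacks a vrf member; the parser treats an unindented line as the end of a submode and is meant for the expanded running configuration, not for the $-variable profile template.

```python
import re

def expand(spec):  # '2,10-11' or '5000,10010-10011' -> set of ints
    ids = set()
    for part in spec.split(','):
        lo, _, hi = part.partition('-')
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def tenant_view(config):
    """Summarise a leaf config per VRF and flag tenant-isolation gaps (see 'findings')."""
    vrfs, bdi_vrf, l2_vnis, ctx = {}, {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if raw == line:                      # an unindented line closes the current submode
            ctx = None
        if m := re.match(r'vrf context (\S+)$', line):
            ctx = ('vrf', m.group(1)); vrfs.setdefault(m.group(1), {'vni': None, 'bdis': []})
        elif (m := re.match(r'vni (\d+)$', line)) and ctx and ctx[0] == 'vrf':
            vrfs[ctx[1]]['vni'] = int(m.group(1))    # Layer-3 VNI of the tenant VRF
        elif m := re.match(r'member vni (\S+)$', line):
            l2_vnis |= expand(m.group(1))            # Layer-2 tenant VNIs under bridge-domains
        elif m := re.match(r'interface [Bb]di ?(\d+)$', line):
            ctx = ('bdi', int(m.group(1))); bdi_vrf[ctx[1]] = None
        elif (m := re.match(r'vrf member (\S+)$', line)) and ctx and ctx[0] == 'bdi':
            bdi_vrf[ctx[1]] = m.group(1)
    findings = []
    for bdi, vrf in sorted(bdi_vrf.items()):
        if vrf in vrfs:
            vrfs[vrf]['bdis'].append(bdi)
        else:   # no 'vrf member' (or an undefined VRF): the BDI ends up in the default VRF
            findings.append(f'Bdi{bdi} is not in any tenant VRF (vrf member: {vrf})')
    for name, info in vrfs.items():
        if info['vni'] is None:
            findings.append(f'VRF {name} has no Layer-3 VNI')
        elif info['vni'] in l2_vnis:
            findings.append(f'VRF {name} VNI {info["vni"]} collides with a Layer-2 tenant VNI')
    return {'vrfs': vrfs, 'l2_vnis': sorted(l2_vnis), 'findings': findings}

# Constructed from this chapter's leaf example, plus a Bdi12 that forgot its vrf member.
LEAF_CONFIG = """\
bridge-domain 2,10-11
  member vni 5000,10010-10011
vrf context Cisco:vrf1
  vni 20000
interface Bdi10
  vrf member Cisco:vrf1
  ip address 100.1.1.1/24
interface Bdi11
  vrf member Cisco:vrf1
  ip address 100.1.2.1/24
interface Bdi12
  ip address 100.1.3.1/24
"""
```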